1. Spammus Historicum

2. Spammus Economicus 

3. Spammus Interruptus 

4. Question & Answer 

• Beer & Spam at 8:30pm 
Room: "Reunion G" 



Spam: A Personal History



Spam received per day 
Source: spamnation.info/stats



Spam: A Personal History
[Chart: spam submitted and reports sent, by month (Dec, Jan, Feb)]



Average Spam: 12.3 messages per second
Max Spam: 22.1 messages per second
Total Spam (last year): 337S33163 messages




Tue Nov 13 13:31:02 EST 2007

First spam was sent in 1978

DEC marketing department advertising a 
seminar in California 

- Has anything really changed? 
Not much criminality yet
Spamming still legal in most places 
First regex filters introduced 
Attack: 

- Simplistic shrouding of words 
- vlagra, c1al1s

Response: Smarter regular expressions, 
and weighted rule sets. 
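The response above, as an added sketch that is not code from the talk: a weighted rule set whose regexes tolerate look-alike characters and match whole tokens only, next to a first-generation substring filter. The weights, threshold, extra substitution classes and sample messages are assumptions constructed for illustration.

```python
import re

# Look-alike classes: 1/l for i is the substitution shown above; the rest are assumed.
LOOKALIKE = {"i": "[i1l!|]", "a": "[a@4]", "l": "[l1|]", "s": "[s5$]", "o": "[o0]"}
THRESHOLD = 3.0                      # assumed cut-off, not a value from the talk
PLAIN, SHROUDED = 1.0, 3.0           # disguising a word is stronger evidence than using it
WORDS = ["viagra", "cialis"]

def shroud_pattern(word):
    """Match `word` as a whole token while tolerating look-alike characters."""
    body = "".join(LOOKALIKE.get(ch, re.escape(ch)) for ch in word)
    # Lookarounds instead of \b so tokens ending in '$' or '!' still match,
    # and so 'specialist' does not hit the rule for 'cialis'.
    return re.compile(rf"(?<![a-z0-9]){body}(?![a-z0-9])", re.IGNORECASE)

RULES = [(w, shroud_pattern(w)) for w in WORDS]

def naive_hit(text):
    """First-generation filter: plain substring match on the word list."""
    return any(w in text.lower() for w in WORDS)

def score(text):
    """Sum rule weights over every match; shrouded spellings weigh more."""
    total = 0.0
    for word, pattern in RULES:
        for m in pattern.finditer(text):
            total += PLAIN if m.group().lower() == word else SHROUDED
    return total

def is_spam(text):
    return score(text) >= THRESHOLD

# Constructed sample messages.
SAMPLES = [
    "Cheap vlagra and c1al1s, order today",
    "Your specialist appointment is confirmed",
    "Trial compares Viagra with placebo",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"naive={naive_hit(s)!s:5} score={score(s):3.1f} spam={is_spam(s)}  {s}")
```

The substring filter misses the shrouded message and flags "specialist"; the weighted rules catch the first and let the other two through.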
• CAN-SPAM makes spamming illegal

• Some spammers move underground, 
others become "email marketers" 

• Volume explodes 

• Attack: Try hiding in fancy HTML. 

<html><img src="http://www.your-info-station.com/Sla/chalkboard.gif">
<div><a href="http://www.your-info-station.com/Sla/eb.php?x=52c">
<img src="http://www.your-info-station.com/Sla/pitch.gif"></a></html>

Response: Filter on URLs, not words. 
Introduce Bayesian filtering. Blacklists 
Bill Gates predicts spam will be gone in two
years

Attack: 

- Switch to botnets 

Response: 

- Improve reputation systems
- Build enormous spamtraps
- Implement greylisting



Spam Circa 2005-Present



Attacks: 

- Poison statistical filters 

- Hire full-time virus writers 

- Diversify into phishing and identity theft 

- Work with the mafia on stock spam 

- Rinse and repeat 

Responses: 

- Fingerprint-based filters 
Average filter accuracy is 90%

- 1/10 of spam messages get through

Improve accuracy to 95%

- 1/20 of spam messages get through 

Solution? 

- Double spam volume 

- Same profit 



Botnet Architecture 
How often do we see a unique Botnet IP?

The Number of Unique IPs versus the number of times reported

Zombies are Fickle



• 201.21.174.207 

- RBLs did not block this sender until it had sent 
55 emails over 19 days. 

- All 55 were "rejected" by throttling.

- After the RBLs caught up, a further 379
messages were received over 13 days



Botnet Architecture 
EHLO foo.com
250 Ok
MAIL From: <b
250 Ok
RCPT To: < /id
250 Ok
DATA
354 Go ahead

250 Queued - Now I make some money

Spammers are Less Patient than Legitimate Senders

Intermission



Improving filters is hard
Identifying zombies is hard 
What can we do? 

Attack the economics of the botnet 



Traditional Email Security 



MailChannels Traffic Control 
Six Overloaded Servers

Two Servers

Room to Scale to
Meet Escalating Volumes

Typical SMTP Session ■ Slowed Down Session

Traffic Control: Second Generation: SMTP Proxy Internals



SMTP Clients 



SMTP Multiplexing Proxy 
SMTP Multiplexing

ZOMBIES / LEGITIMATE SENDERS

[Chart: MTA Connections by date/time]



One of these kids is not like the others...



Delivered 
RBLs rejected 70% of the likely Storm
botnet zombies

Of those that remained... 

- 74% did not complete delivery of a message 

• 10% were detected as consumer operating systems 
(Windows 98, Windows XP, etc.) 

• The rest were unknown, and therefore throttled 
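The triage described above (RBL rejection first, throttling for senders that remain unknown), as an added sketch that is not MailChannels code. The per-reply delays, the patience values, the trusted flag and the sample senders are assumptions constructed for illustration.

```python
from dataclasses import dataclass

CONSUMER_OS = {"Windows 98", "Windows XP"}   # examples named on the slide
REPLIES = 6   # banner, EHLO, MAIL, RCPT, DATA, end-of-data
# Assumed per-reply delays in seconds; not values from the talk.
DELAY = {"trusted": 0.0, "unknown": 20.0, "consumer_os": 60.0}

@dataclass
class Sender:
    ip: str             # constructed, RFC 5737 documentation addresses
    rbl_listed: bool
    os_guess: str       # passive fingerprint result, "unknown" if none
    trusted: bool       # hypothetical local reputation flag
    patience_s: float   # longest wait for one reply before hanging up

def classify(s: Sender) -> str:
    """RBL first, then reputation, then fingerprint; everything else is unknown."""
    if s.rbl_listed:
        return "rbl_reject"
    if s.trusted:
        return "trusted"
    if s.os_guess in CONSUMER_OS:
        return "consumer_os"
    return "unknown"

def session(s: Sender) -> tuple[str, float]:
    """Return (outcome, seconds the sender spent on this connection)."""
    cls = classify(s)
    if cls == "rbl_reject":
        return "rejected", 0.0
    delay = DELAY[cls]
    if delay > s.patience_s:
        # Client gives up while waiting for the first delayed reply.
        return "abandoned", s.patience_s
    return "delivered", REPLIES * delay

SENDERS = [
    Sender("192.0.2.10", True, "Windows XP", False, 5),      # listed zombie
    Sender("192.0.2.11", False, "Windows XP", False, 10),    # unlisted zombie
    Sender("192.0.2.12", False, "unknown", False, 10),       # unlisted zombie
    # RFC 5321 recommends command timeouts of several minutes for real MTAs.
    Sender("198.51.100.5", False, "unknown", False, 300),    # new legitimate MTA
    Sender("203.0.113.7", False, "Linux", True, 300),        # established MTA
]

def run(senders=SENDERS) -> dict[str, tuple[str, float]]:
    return {s.ip: session(s) for s in senders}

if __name__ == "__main__":
    for ip, (outcome, secs) in run().items():
        print(f"{ip:14} {outcome:10} {secs:6.1f}s")
```

An unknown but patient MTA still delivers, two minutes later than it otherwise would, while the impatient clients drop off before sending any message data.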
1. Spamming is driven by economics

2. Botnet operators need to make money

3. Slowing down spam makes it go away 

• Beer & Spam at 8:30pm 
Room: "Reunion G" 



Nick Shelness, Former CTO, Lotus: 

"I am able to report that I have been running an instance of TrafficControl in my own network for four months, and that it has reduced the volume of spam hitting my boundary MTAs on most days by approximately 95%."



questions@mailchannels.com 

+1-778-785-6143 

www.mailchannels.com 